RZ20 Display-only

Feb 22, 2017 at 07:20 AM

I added the transaction RZ20 and assigned authority object S_RZL_ADM with activity 03 (Display only) to a role.
Even having only display authorization, this user is allowed to change (delete, save, copy, etc.) the method.
What did I miss to allow it as display-only authorization?

Thank you.

Jhiosa


Hi Maria,

Your question is mis-tagged, as this is about authorizations, not NetWeaver. So, I have moved it to "NW ABAP User Administration and Authorization." I notice you have another outstanding question which also seems to be more about security and authorizations, so I'm going to move that one as well (https://answers.sap.com/questions/126351/index.html).

Cheers,
Matt


4 Answers

Matt Fraser
Feb 22, 2017 at 11:37 PM

Have you confirmed that the user isn't getting the extra authorizations from another role assignment?

Maria Jhiosa Vergara Mar 02, 2017 at 02:29 AM

Hi Fraser,

Thank you for responding about the mis-tagging. I checked the other related authorizations and they are all display access.

I was informed that I can implement the attached note 2382409 - Optimization of authority concept in RZ20 to be able to access RZ20 as Display-only role.

Former Member
Mar 02, 2017 at 11:55 PM

Note that the S_RZL_ADM concept is slightly tricky: You can execute external OS programs with this authorization. When doing so from ABAP, the application executing the program must decide whether the external program is relatively harmless and does not change anything (ACTVT = '03') or whether it contains functions which are potentially critical or can start any external program (ACTVT = '01').

SM36, for example, only checks '01', as outside of logical commands it cannot know or control what the external program does. In contrast, if the application runs a specific external program, knows what it does and classes it as non-critical, then it should check '03'.

But those are the only two values available and non-critical does not necessarily mean display only.

So you are sometimes stuck between a rock and a hard place...

Best practice is to use S_LOG_COM or an auth object closer to the application within the application and then let the OS access (like the DB access) be authorization neutral.

Cheers,

Julius

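The distinction Julius describes, shown as an added ABAP example that is not from this thread or from SAP: an application maps each user action to the S_RZL_ADM activity it checks (read maps to '03', anything that changes the monitor requires '01'), and, as the alternative he recommends, checks S_LOG_COM for one named logical command. The class, method and command names are hypothetical, and the code assumes ABAP 7.40 or later for the COND and xsdbool syntax.

```abap
*&---------------------------------------------------------------------*
*& Added example (not from the thread). Class, method and the logical
*& command name ZLIST_LOGS are hypothetical.
*&---------------------------------------------------------------------*
REPORT z_rzl_adm_check_demo.

CLASS lcl_monitor_auth DEFINITION.
  PUBLIC SECTION.
    " abap_true when the user may perform iv_action in the monitor
    CLASS-METHODS may_perform
      IMPORTING iv_action    TYPE string
      RETURNING VALUE(rv_ok) TYPE abap_bool.
    " abap_true when the user may run the named logical command
    CLASS-METHODS may_run_command
      IMPORTING iv_command   TYPE c
      RETURNING VALUE(rv_ok) TYPE abap_bool.
ENDCLASS.

CLASS lcl_monitor_auth IMPLEMENTATION.
  METHOD may_perform.
    DATA lv_actvt TYPE c LENGTH 2.
    " Only a pure read maps to '03'. Save, copy and delete change the
    " monitor, so they must require '01'; checking '03' for them is
    " exactly what lets a display-only role change methods.
    lv_actvt = COND #( WHEN iv_action = 'DISPLAY' THEN '03' ELSE '01' ).
    AUTHORITY-CHECK OBJECT 'S_RZL_ADM'
      ID 'ACTVT' FIELD lv_actvt.
    rv_ok = xsdbool( sy-subrc = 0 ).
  ENDMETHOD.

  METHOD may_run_command.
    " S_LOG_COM names the command, OS and host explicitly, so the grant
    " is scoped to that one command rather than to "any OS program".
    AUTHORITY-CHECK OBJECT 'S_LOG_COM'
      ID 'COMMAND'  FIELD iv_command
      ID 'OPSYSTEM' FIELD sy-opsys
      ID 'HOST'     FIELD sy-host.
    rv_ok = xsdbool( sy-subrc = 0 ).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Constructed calls for illustration only.
  IF lcl_monitor_auth=>may_perform( 'DELETE' ) = abap_false.
    MESSAGE 'Change access to the monitor is not permitted' TYPE 'E'.
  ENDIF.
  IF lcl_monitor_auth=>may_run_command( 'ZLIST_LOGS' ) = abap_true.
    WRITE: / 'Logical command ZLIST_LOGS may be executed'.
  ENDIF.
```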
Former Member Apr 03, 2017 at 02:57 PM

Hi Jhiosa,

You can set a trace (transaction ST01) for your user to know which authorization objects allow you to do it.

After that you can check in transaction SUIM which role assigned to you contains this authorization object.

Kind regards,

Maria
